In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million data subjects.

Continue Reading Lloyd v. Google: Supreme Court rejects compensation claim

On 13 October 2021, the European Data Protection Board (EDPB) adopted the final version of its Guidelines (10/20) on restrictions of data subject rights under article 23 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) (the Guidelines) during its forty-third plenary session. The adoption comes after a public consultation on the EDPB’s draft guidelines,

On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

Continue Reading South Korea – EDPB adopts an opinion on the Commission’s draft adequacy decision

On 10 September 2021, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on its proposed reforms to the UK’s data protection regime, with a view to assessing the case for legislative change.

The consultation comes as the first step in the government’s plans to deliver on ‘Mission 2’ of its National Data Strategy, published in 2020: to secure a data regime that promotes growth and innovation for UK businesses, while also maintaining public trust.

The UK’s data protection regime has not received a substantive update since 2018 when the European Union’s General Data Protection Regulation (GDPR) took effect, alongside the introduction of the UK’s Data Protection Act 2018. The government’s National Data Strategy has suggested that the UK may start to move away from EU law when it comes to data protection.

According to the Secretary of State, the ultimate aim of the consultation is to ‘create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standards’.
Continue Reading DCMS launches public consultation on reforms to the UK’s data protection regime

Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanism  for three UK GDPR certification schemes, in the following areas:

  1. IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed. This scheme is for companies who provide IT asset disposal services and focuses on IT asset recovery and data sanitisation. There are currently no certification bodies listed on the ICO’s website to deliver this scheme;
  2. Age assurance – Age Check Certification Scheme (ACCS) have developed this scheme which includes data protection criteria for organisations operating or using age assurance products. These allow organisations to estimate or verify a person’s age so that they can access age restricted products or services; and
  3. Age appropriate design, specifically children’s online privacy. Again developed by ACCS, this scheme provides criteria for the age appropriate design of information society services which are based on the ICO’s Children’s Code. The certification body for both ACCS schemes is Age Check Certification Services Ltd.

The ICO has commented that for these “constantly evolving” areas “enhanced trust and accountability in how personal data is protected is vital”.
Continue Reading The ICO approves the first UK GDPR certification schemes

The English High Court delivered an important judgement earlier this year in Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB). You can read the judgment here.

Where an organisation based outside the EU is subject to the EU General Data Protection Regulation (GDPR) either because they sell goods or services to, or monitor the behaviour of, individuals, they are usually required to appoint a representative. Since Brexit where such processing involves individuals in the UK, a UK based representative is also required under the UK GDPR.

This case concerned the liability of the UK representatives of data controllers based outside the UK. The High Court struck out the claim and held that Article 27 GDPR does not create ‘representative liability’.

Background

The claimant Mr Sansó Rondón brought a claim against LexisNexis Risk Solutions, the designated ‘representative’ of U.S. company World Compliance Inc. (WorldCo). WorldCo is the controller of a database containing millions of profiles of individuals. The claimant argued WorldCo’s processing of his personal data in producing a profile of him breached the GDPR. The defendant applied for the claim to be struck out, or alternatively for summary judgment, arguing that a representative cannot be held liable for the actions of a controller and the remedies sought can only be obtained from a controller.

Continue Reading Is an Article 27 GDPR representative liable for a controller’s breach? Not according to the English High Court

The Summer 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Update on international data transfers
  2. State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on

After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements:

  • The user’s consent, or
  • The cookie must be strictly necessary in order to provide the service explicitly requested by the user (Strictly Necessary Cookies).

The category of Strictly Necessary Cookies was previously interpreted rather narrowly. There must be a clear link between the strict necessity of the cookie and the delivery of the service. It is not sufficient that the cookie is merely necessary from an economic perspective to run a website. The Article 29 Working Party in WP194 regarded shopping cart, user authentication, security, load balancing, or multimedia player as use cases for Strictly Necessary Cookies.

The legal basis for so-called Reach Measurement Cookies has been heavily debated. Reach Measurement Cookies are statistical audience measurement tools for websites used to estimate the number of unique users, track the users’ interaction with the website and track down navigation issues. Typically, they have not been regarded as Strictly Necessary Cookies because websites can be provided to the users without measuring the users’ interactions with the websites. At the same time, Reach Measurement Cookies only provide useful findings if every users’ interactions with the websites are tracked.

In this context, the French data protection authority (CNIL) has provided guidelines (Guidelines) under which the Reach Measurement Cookies may be considered as Strictly Necessary Cookies and thus benefit from the consent exemption.

Continue Reading When are Reach Measurement Cookies exempt from the consent requirement?

On the 28th June 2021, the European Commission (Commission) adopted two adequacy decisions for the UK; one covering the GDPR and the other the Law Enforcement Directive (LED). Such decisions demonstrate that the Commission believes the UK ensures an ‘essentially equivalent’ level of protection to that within the EU. The implication of these decisions is that personal data can now flow freely from the EU to the UK, effective immediately.

Background

On the 19th February, the Commission published two draft adequacy decisions and launched the procedure for their adoption, which we previously wrote about here. Since then, the Commission has carefully assessed the UK’s laws and practices on personal data protection, including access to data by public authorities in the UK. The European Data Protection Board gave its opinion on the draft decisions in support of the Commission’s findings, which we also blogged about here, before finally receiving the ‘green light’ from the EU Member states’ representatives.

The Commission’s 93-page GDPR decision assesses the legal framework for the UK in detail even referencing laws such as the Magna Carta and Bill of Rights, and states ‘As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union.’ They conclude  that ‘the Commission considers that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.’

Continue Reading UK adequacy decision for European data transfers

The Spring 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. New cookie rules in Germany will apply as of December 1, 2021
  2. German data protection authorities conduct coordinated audits on international data transfers